PoC for the incorrect 66 instruction prefix found by xoreaxeaxeax/sandsifter
#include <stdio.h> | |
#include <stdint.h> | |
#include <stdlib.h> | |
#include <limits.h> | |
#include <string.h> | |
#include <unistd.h> | |
#include <sys/types.h> | |
#include <sys/stat.h> | |
#include <fcntl.h> | |
#include <sys/mman.h> | |
#include <errno.h> | |
// gcc -Wl,--section-start=.badjump_loc=0x8100000,--section-start=.longjump_loc=0x8200000,--section-start=.trampoline_return_loc=0x8300000 badjump.c
// qemu-x86_64 -g 1234 ./a.out
// gdb -ex "file ./a.out" -ex "set architecture i386:x86-64:intel" -ex "target remote localhost:1234" -ex "b *badjump"
// asm("nop;nop;nop;nop;nop;nop;nop;nop;nop;nop;nop;nop;\n\t");
// .badjump_loc=0x8100000
// Placed at 0x8100000 by the --section-start flag in the build line above.
// Emits the ambiguous instruction and then prints which way it was decoded.
__attribute__((section(".badjump_loc")))
void badjump(void) {
    // 66 E9 00 00 10 00: a near jmp (E9) carrying an operand-size prefix (66).
    // Read as jmp rel32 with the prefix ignored, the displacement is +0x100000,
    // which is intended to land inside longjump() one section over.
    // Read as jmp rel16, the displacement is 0 and the trailing 10 00 bytes are
    // decoded as the next instruction, so control presumably falls through to
    // the messages below; a CPU that also truncates RIP to 16 bits would instead
    // land in the trampoline that main() maps at page 0 (assumed; TODO confirm).
    __asm__ __volatile__(".byte 0x66, 0xE9, 0x00, 0x00, 0x10, 0x00;\n\t");
    puts("I am running in an emulator or on an AMD chip");
    puts(" I treat the jump as SHORT relative");
}
// .longjump_loc=0x8200000
// Placed at 0x8200000 by --section-start. The rel32 reading of the jump in
// badjump() is meant to arrive just past the nop padding here.
__attribute__((section(".longjump_loc")))
void longjump(void) {
    // Six nops of padding so the jump target falls on an instruction boundary;
    // this presumably relies on both functions getting the same prologue size.
    __asm__ __volatile__("nop;nop;nop;nop;nop;nop;\n\t");
    puts("I am running on an Intel chip");
    puts(" I ignore the 0x66 opcode (long jump)");
}
// .trampoline_return_loc=0x8300000
// Placed at 0x8300000 by --section-start. The page-0 trampoline in
// trampoline_sc jumps to 0x8300006, i.e. into the nop padding below.
__attribute__((section(".trampoline_return_loc")))
void trampoline_return(void) {
    // Padding that the trampoline's "jmp eax" lands inside of.
    __asm__ __volatile__("nop;nop;nop;nop;nop;nop;\n\t");
    puts("I am running in an emulator or on an AMD chip");
    puts(" I treat the jump as absolute");
}
// // asm -c 64 "mov rax, 0x8300005; jmp rax"
// // 48c7c005003008ffe0
// uint8_t trampoline_sc[] = {
// 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
// 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
// 0x48, 0xC7, 0xC0, 0x05, 0x00, 0x30, 0x08, 0xFF, 0xE0
// };
// Trampoline that main() copies to page 0, assembled from
//   "mov eax, 0x8300006; jmp eax"
// (the earlier hex listing showed 05 in the immediate; the bytes below
// encode 06). Decoded:
//   16 x 90           nop sled
//   B8 06 00 30 08    mov eax, 0x08300006   (6 bytes into trampoline_return)
//   FF E0             jmp eax
uint8_t trampoline_sc[] = {
    0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90,        // nop sled, 16 bytes
    0xB8, 0x06, 0x00, 0x30, 0x08,  // mov eax, 0x08300006
    0xFF, 0xE0                     // jmp eax
};
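/*
 * Map the trampoline at page 0 (where a 16-bit-truncated RIP would land),
 * then execute the ambiguous 66 E9 jump in badjump(). Which message prints
 * tells you how the CPU or emulator decoded the prefix.
 *
 * Returns 0 unconditionally; mmap failure is reported but not fatal, since
 * the Intel decode path never touches page 0 anyway.
 */
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    // Trampoline address. It must be page 0 for the truncated-RIP case to
    // reach the sled, so this is fixed at 0.
    const uintptr_t addr = 0;
    // Split into page base and in-page offset. (The original masked with
    // 0x1000, which keeps only bit 12; ~0xFFF is the page-aligned base.
    // Both give 0 for addr == 0.)
    const uintptr_t page_base = addr & ~(uintptr_t)0xFFF;
    const size_t page_off = (size_t)(addr & 0xFFF);

    // Writable+executable anonymous mapping at a fixed low address. Linux
    // refuses mappings below vm.mmap_min_addr unless the process has the
    // required capability, which is what the "root" hint below is about.
    void *page = mmap((void *)page_base, page_off + sizeof trampoline_sc,
                      PROT_READ | PROT_WRITE | PROT_EXEC,
                      MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (page == MAP_FAILED) {
        // Check the return value rather than errno: errno is only meaningful
        // after a failure, and printf below may itself change it.
        const int err = errno;
        printf("Are you running as root? errno: %d\n", err);
        printf("I'll keep going, but expect a segfault\n");
    } else {
        // Place the sled at the requested in-page offset (byte arithmetic on
        // void * is a GNU extension, so go through uint8_t *).
        memcpy((uint8_t *)page + page_off, trampoline_sc, sizeof trampoline_sc);
    }

    badjump();
    return 0;
}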